nisse@lysator.liu.se (Niels Möller) writes:
I also received a report of an ecc secp256r1 miscomputation the other day, which I have been able to reproduce and want to fix.
I have fixed two bugs in the 64-bit C implementation of ecc_256_modp and ecc_256_modq, in ecc-256.c. It was carry propagation in unlikely cases not done right. These functions are a bit too hairy for their own good, maybe they ought to be rewritten using a simpler reduction scheme (they're not very performance critical, but they should be kept side-channel silent).
It's not obviously exploitable, in the sense that it makes it easy to get ecdsa_verify to accept forged signatures, but not obvious doesn't imply not possible, of course.
I have let additional mod tests run overnight, and I haven't uncovered any problems in any of the other ecc curves, so the known bugs affect only nettle_secp_256r1.
Regards, /Niels
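The message above describes carry-propagation bugs in a limb-based reduction modulo the secp256r1 prime that only show up on unlikely inputs, and says the fix was validated by running additional mod tests. The following is an added example, not code from Nettle's ecc-256.c and not Niels Möller's fix: a small Python reference that reduces a 512-bit value modulo p with 64-bit limbs and hand-moved carries (using the generic fold 2^256 = 2^224 - 2^192 - 2^96 + 1 mod p, which is assumed here for illustration and is not necessarily the scheme ecc-256.c uses), together with a differential test against Python's big integers on inputs chosen to chain carries and borrows across every limb. It is plain Python and not side-channel silent; its purpose is to be the oracle and test harness, not a production implementation.

```python
"""Constructed reference (not Nettle's ecc-256.c): reduce a 512-bit value
modulo the secp256r1 prime with 64-bit limbs and explicit carries, and
diff it against Python's big integers on inputs that force long carry
chains. Plain Python, not side-channel silent: a test oracle only."""
import random

MASK = (1 << 64) - 1
# p = 2^256 - 2^224 + 2^192 + 2^96 - 1
P256 = (1 << 256) - (1 << 224) + (1 << 192) + (1 << 96) - 1
# 2^256 == K (mod p), so x = hi*2^256 + lo == lo + hi*K (mod p)
K = (1 << 256) - P256  # 2^224 - 2^192 - 2^96 + 1, a 225-bit value

def to_limbs(x, n):
    """Little-endian 64-bit limbs of x, zero-padded to n limbs."""
    return [(x >> (64 * i)) & MASK for i in range(n)]

def from_limbs(limbs):
    return sum(l << (64 * i) for i, l in enumerate(limbs))

def mul_add(acc, a, b):
    """acc += a*b, schoolbook over limbs. Every carry is moved by hand so
    the code has the same shape (and the same failure modes) as C code."""
    n = len(acc)
    for i, ai in enumerate(a):
        carry = 0
        for j, bj in enumerate(b):
            t = acc[i + j] + ai * bj + carry
            acc[i + j] = t & MASK
            carry = t >> 64
        k = i + len(b)
        while carry and k < n:      # ripple the row's final carry upward
            t = acc[k] + carry
            acc[k] = t & MASK
            carry = t >> 64
            k += 1
        assert carry == 0, "accumulator too narrow"
    return acc

def reduce_p256(x):
    """Return x mod p for 0 <= x < 2^512.
    Each fold replaces hi*2^256 by hi*K and shrinks x by about 32 bits;
    ten folds bound x below 2^256 + K < 2p, so one conditional subtraction
    finishes the job. The fold count is fixed rather than data-dependent."""
    assert 0 <= x < (1 << 512)
    limbs = to_limbs(x, 8)
    k_limbs = to_limbs(K, 4)
    for _ in range(10):
        lo = limbs[:4] + [0] * 4
        limbs = mul_add(lo, limbs[4:], k_limbs)
    # x < 2^256 + K here, so limbs[4] is 0 or 1 and limbs[5:] are 0
    p_limbs = to_limbs(P256, 5)
    diff, borrow = [], 0
    for a, b in zip(limbs[:5], p_limbs):
        t = a - b - borrow
        borrow = 1 if t < 0 else 0
        diff.append(t & MASK)
    # no borrow out means x >= p: take x - p, otherwise x was already < p
    return from_limbs(diff[:4] if borrow == 0 else limbs[:4])

def edge_cases():
    """Constructed inputs that chain carries/borrows across every limb: the
    'unlikely cases' a purely random test almost never reaches."""
    ones256 = (1 << 256) - 1
    cases = [0, 1, P256 - 1, P256, P256 + 1, ones256, (1 << 512) - 1,
             ones256 << 256, (ones256 << 256) | 1, K << 256,
             (P256 - 1) << 256, (P256 - 1) * (P256 - 1), P256 * P256 - 1]
    for i in range(8):          # one all-ones limb, and its complement
        cases.append(MASK << (64 * i))
        cases.append(((1 << 512) - 1) ^ (MASK << (64 * i)))
    return cases

def random_cases(n, seed=0):
    """Seeded random 512-bit inputs, the complement to the edge cases."""
    rng = random.Random(seed)
    return [rng.getrandbits(512) for _ in range(n)]

def differential_test(cases):
    """Return the inputs on which reduce_p256 disagrees with big-int x % p."""
    return [x for x in cases if reduce_p256(x) != x % P256]

if __name__ == "__main__":
    bad = differential_test(edge_cases() + random_cases(5000))
    print("mismatches:", len(bad))
```

The useful part for a reviewer of a real implementation is the shape of the test, not this reference: swap `reduce_p256` for a wrapper around the implementation under test, keep the big-integer oracle, and make sure the case list includes values at and just above p, all-ones limbs, and products of p-1 with itself, since those are where a dropped or doubled carry changes the result while uniformly random inputs almost never exercise the same paths.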